THEIA LogoTheia Jobs

    API & ATS INTEGRATION ADDENDUM

    Parties: THEIA JOBS, Corp ("THEIA") and [Client Legal Name] ("Client")
    Effective date: [DATE] | Order Form: [REFERENCE]

    1. Access & Credentials

    THEIA issues API keys/webhook secrets to Client’s tenant. Client must keep credentials confidential and use them only as permitted. THEIA may rotate keys and enforce authentication requirements.

    Client-supplied ATS credentials. If Client provides ATS API keys, OAuth tokens, service accounts, or similar credentials for a third-party ATS, THEIA will use them solely to operate the Integration as instructed by Client and subject to this Addendum and the DPA.

    1.1 Credential Security & Handling

    • Storage. Credentials are stored in a dedicated secrets manager and encrypted at rest; transmission occurs over TLS 1.2+.
    • Access control. Principle of least privilege; access limited to systems and personnel necessary to operate the Integration. Access is logged and auditable upon request.
    • Use limitation. Credentials are not used for any purpose other than the Integration, are not copied into logs or tickets in plain text, and are not shared with third parties except approved subprocessors listed in the DPA.
    • Rotation & revocation. THEIA supports rotation on request and will cease use immediately upon Client revocation. On termination or disconnect, THEIA deletes stored credentials within 7 days.
    • Emergency access. Any break-glass access follows documented approvals and is logged.

    2. Rate Limits; Fair Use

    THEIA may apply rate limits and throttling to protect platform stability. Client will not exceed published limits; sustained overages may be limited or suspended with notice.

    3. Data Mapping & Minimization

    Client will configure field mappings and send only data necessary for hiring. Client is responsible for the lawfulness of data it transmits (including any sensitive fields). THEIA may reject disallowed fields.

    4. Webhooks; Retries; Idempotency

    Webhooks are signed (e.g., HMAC); Client must validate signatures and serve HTTPS endpoints. THEIA retries failed deliveries at least 3 times with exponential backoff. Client should implement idempotency to avoid duplicates.

    5. Dependencies; ATS Terms

    Integrations may rely on third-party ATS APIs. Client’s ATS use remains subject to ATS terms. THEIA is not liable for ATS outages, schema changes, or deprecations.

    6. Security

    TLS 1.2+; least-privilege access; encryption in transit/at rest. IP allowlisting available on request. Pen-test or SOC/ISO summaries may be shared under NDA.

    Logs & support. Operational logs exclude secrets. Temporary access for support is time-bound and logged.

    7. Privacy; DPA

    The DPA applies to Integration data. THEIA acts as service provider/processor for Integration data, will not sell/share Integration personal information, and will use it only to provide the Integration, security/fraud prevention, and to generate de-identified analytics as permitted by the DPA. Each party will promptly notify the other of data subject requests relating to Integration data and cooperate to meet statutory deadlines.

    8. Incident Response

    As set out in the DPA (72-hour window).

    9. Deletion on Disconnect

    On Integration disconnect or Agreement termination, THEIA will delete Integration-originated personal data from active systems within 30 days, subject to legal holds. Client-supplied credentials are deleted within 7 days of disconnect/termination or upon Client revocation.

    10. Sandbox & Testing

    Use non-production endpoints for testing and synthetic or redacted data only.

    11. Changes & Deprecations

    For backward-incompatible changes to GA endpoints, THEIA will provide 90 days’ notice (or as required by security). Beta endpoints may change without notice.

    12. Uptime & Support (Optional SLA)

    Target monthly API availability: 99.5%, excluding scheduled maintenance and force majeure. Support hours: [BUSINESS HOURS & CHANNELS].

    13. Suspension

    THEIA may suspend Integration to address security, abuse, or material violations. THEIA will notify Client without undue delay.

    14. Indemnity (Narrow)

    Each party indemnifies the other for its breach of Sections 3 (Data Minimization), 6 (Security), and 7–9 (Privacy/Incident/Deletion).

    15. Order of Precedence

    This Addendum controls over conflicting terms in the Agreement for Integration-specific issues; the DPA controls for privacy/security.